
I have a RHEL server on which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs, so I configured forwarding of all audit logs to the remote server, due to which /var/log on the remote syslog server is getting full frequently. I have 2 ways to fix this problem but I cannot find a technical solution for either.

  1. Log the events of that specific rule to a separate log file or if possible, directly to the remote syslog server
  2. Forward the audit logs generated by that specific rule only to remote syslog server

Any other solution is much appreciated.

1 Answer


Here is the RH solution (account required):

Install the audisp-syslog plugin:

[root@r88 ~]# dnf install audispd-plugins
[root@r88 ~]# vi /etc/audit/plugins.d/syslog.conf
active = yes
args = LOG_INFO LOG_LOCAL3

Edit the syslog configuration /etc/rsyslog.conf and add a line sending local3.info to the remote server:

[root@client ~]# vi /etc/rsyslog.conf
#[..]
local3.info        @remote.syslog.example.com
local3.info        stop

Restart the syslog daemon and audit services:

Romeo Ninov
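The answer forwards every record the audisp-syslog plugin emits on local3, which is exactly what fills the remote /var/log. As an added example (not part of the answer or of Red Hat's documentation), the rsyslog RainerScript drop-in below narrows that to the records of one rule and covers both options from the question. It assumes the audit rule was loaded with a key (`my_rule_key` is a placeholder for your own `-k` value), the hypothetical file name /etc/rsyslog.d/10-audit-rule.conf, and the remote host name used in the answer.

```rsyslog
# /etc/rsyslog.d/10-audit-rule.conf  (hypothetical file name; drop-ins under
# /etc/rsyslog.d are read by the include in the default /etc/rsyslog.conf)
#
# The audisp-syslog plugin configured in the answer emits every audit record
# on facility local3, severity info. Match only records produced by the audit
# rule whose key is my_rule_key (placeholder for the -k value of your rule).
if ($syslogfacility-text == "local3" and $msg contains 'key="my_rule_key"') then {
    # Option 1 from the question: a dedicated local file for this rule only
    action(type="omfile" file="/var/log/audit-my_rule_key.log")
    # Option 2 from the question: forward just these records to the collector
    action(type="omfwd" target="remote.syslog.example.com" port="514" protocol="udp")
    stop
}

# Every other audit record on local3 is discarded here, so it neither reaches
# the remote server nor is duplicated into /var/log/messages by the catch-all
# rule (this works because the drop-in is included before the RULES section).
if ($syslogfacility-text == "local3") then stop
```

Check the file with `rsyslogd -N1` before restarting rsyslog. One caveat for forensics: in a multi-record audit event only the SYSCALL record carries `key=...`, so the PATH, CWD and PROCTITLE records belonging to the same event do not match this filter and are dropped by the final `stop`. auditd still writes the complete event to /var/log/audit/audit.log independently of the plugin, so keep that local log if you need the full context later.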